Testimony Before the Committee on Banking and U.S. House of Representatives, September 17, 1998
Mr. Chairman and Members of the Committee, I am pleased to be here today
to discuss the Federal Deposit Insurance Corporation's (FDIC) progress
in addressing the Year 2000 challenge. I would like to note that, while
I am speaking about FDIC Office of Inspector General (OIG) work, my
counterparts at the Department of the Treasury, the Board of Governors
of the Federal Reserve, and the National Credit Union Administration
have submitted their statements for the record. The upcoming Year 2000
date change is a challenge that all financial regulatory agencies are
addressing. As such, the management officials and Offices of Inspector
General of our respective agencies have been working together to
aggressively address the risks posed by this unprecedented technological
challenge. My remarks will touch upon some of the common Year 2000
issues that the financial regulatory agencies are addressing related to
the institutions they oversee. My principal focus, however, will be on
FDIC's Y2K activities, internally and with respect to the institutions
that it supervises; the work of my office to help ensure the success of
the Corporation's efforts; and the tasks that remain as we approach the
millennium.
Y2K POSES SIGNIFICANT CHALLENGES FOR FDIC AND OTHER FINANCIAL INSTITUTION REGULATORY AGENCIES
FDIC, independently and in cooperation with the other members of the
Federal Financial Institutions Examination Council (FFIEC), must
overcome the technological difficulties posed by the Year 2000 date
change. In addition to addressing the issues impacting their internal
operations, the agencies must effectively oversee the efforts of
financial institutions in addressing Y2K concerns. FDIC's role as
insurer of deposits presents additional issues that must be addressed in
an air of uncertainty and unbending time constraints. As a result, FDIC
has established Y2K as the number one safety and soundness issue facing
financial institutions.
FDIC and its fellow FFIEC members have worked closely and diligently in
addressing Y2K issues impacting financial institutions. These agencies
have structured their Y2K efforts based on guidance published by the
U.S. General Accounting Office (GAO) and the Office of Management and
Budget (OMB). The guidance establishes a five-phased approach for
addressing the Y2K situation: awareness, assessment, renovation,
validation, and implementation. To promote awareness, FDIC,
independently and in conjunction with the FFIEC, conducted awareness
briefings, created a Y2K Internet homepage, held seminars, issued
guidance to financial institutions, and published an information
pamphlet for use by the general public. It is important that the
various regulatory agencies adopt a consistent approach when rating the
Y2K readiness of the institutions they supervise. To that end, the
FFIEC member agencies have developed and presented a common training
program for their examiners, adopted a unified examination work program
for conducting Y2K examinations, implemented a process for exchanging
and tracking information related to examination results, and performed
joint examinations of certain large institutions.
For its part, FDIC must work to ensure that its internal operations are
sustained following December 31, 1999. FDIC has 370 systems, 39 of
which it has identified as mission critical, that are scheduled to
continue operating into the year 2000 and beyond. FDIC must correctly
renovate, test, and implement these systems. In addition, hardware that
is not Y2K-compliant must be replaced, telecommunications equipment must
be upgraded, and issues related to sustaining operational support for
FDIC's facilities must be addressed. Effective and tested contingency
plans must be developed in the event that any of these support systems
malfunction. FDIC has implemented an aggressive program to address its
internal Y2K challenges and has restructured its milestones in
accordance with GAO and OMB guidance.
FDIC must also actively address a number of other issues unique to its
role as insurer of deposits as agencies and businesses enter the most
critical phases of their Y2K efforts. Specifically, as FDIC examines
and assesses the progress of Y2K activities at financial institutions,
its main focus will be on the institutions' testing, external data
exchanges, and contingency planning efforts. It must also work closely
with other financial institution regulatory agencies as they examine
institutions whose deposits are insured by FDIC. In addition, FDIC must
determine what impact Y2K examination ratings should have on deposit
insurance premiums and consider possible enforcement actions and
resolution strategies in the event institutions do not adequately
prepare for Y2K and experience technological failures.
I can provide this Committee assurance that overall, the Corporation's
Year 2000 efforts to date have been well conceived and executed.
Additionally, the Corporation has taken appropriate and timely action in
response to suggestions the OIG has made.
COOPERATIVE EFFORTS OF REGULATORY OFFICES OF INSPECTOR GENERAL AND INDEPENDENT FDIC OIG EFFORTS AND RESOURCES ARE DIRECTED TOWARD PROVIDING VALUE TO THE FFIEC AND FDIC
Similar to the cooperative approach adopted by the financial regulatory
agencies, my office has been working closely with the Offices of
Inspector General (OIG) from the Board of Governors of the Federal
Reserve, the Department of the Treasury, and the National Credit Union
Administration in addressing Y2K issues. Representatives from my office
and these OIGs meet frequently to discuss approaches, issues, and
solutions. We believe this sharing of ideas is crucial to providing
valuable, timely, and effective input to our respective agencies, the
FFIEC, and the Congress. Our collaborative efforts have focused on
every facet of the Y2K situation, with particular emphasis on
consistency in approach to examination ratings. Such consistency is of
particular concern to FDIC because the Corporation insures deposits in
over 10,000 institutions, some of which fall under the jurisdiction of
the other financial regulators.
My office began reviewing Y2K activities in February 1997 and has
steadily increased its efforts in this important area. To ensure that
our work is timely and benefits the Corporation, we have developed a
proactive approach to our Y2K review. As we develop observations
regarding the Y2K process, we immediately brief corporate management on
our observations and issue periodic advisory memorandums. By conducting
our work in this way, we can provide observations and suggestions and at
the same time lessen management's burden of formally responding to audit
findings and recommendations. Management has been responsive to this
approach and has reacted promptly to our observations.
Our Year 2000 work is twofold: we are examining FDIC's internal efforts
to ensure its own Year 2000 readiness as well as its efforts to ensure
readiness of the financial institutions that it supervises. Our work is
designed to determine whether (1) FDIC is following a structured and
effective approach in planning, evaluating, and correcting its systems
and operations that are affected by the upcoming date change and (2)
FDIC's actions, as an independent financial institution regulator and
member of the FFIEC, ensure that financial institutions have planned and
implemented a structured, effective approach to address Y2K concerns.
We are using criteria and objectives published by GAO and OMB in
performing our work. For supervisory activities, we are also using
guidance and criteria published by the FFIEC.
To address audit objectives related to internal FDIC operations, my
office reviewed the Corporation's detailed plans, policies, and
procedures for implementing the Y2K program. We interviewed FDIC's
Division of Information Resources Management's Y2K program manager and
other personnel on the project team, reviewed the 58 contingency plans
for FDIC's 39 mission critical applications, contingency procedures for
FDIC's mission critical systems, and the business recovery plan for
FDIC's data center. We also have performed a preliminary review of
documentation supporting renovation activities related to 28 of FDIC's
internal application systems.
To address our supervisory or external audit objectives, we evaluated
Y2K field examinations for completeness, accuracy, and consistency of
approach to ratings; evaluated the criteria used to assign Y2K ratings;
and reviewed guidance and the work program for the Corporation's Phase I
and Phase II examinations, its initial exams and those planned for
October 1998, respectively. We have completed our review of Phase I,
which included institutions' Y2K awareness and assessment efforts. We
have also attended FFIEC-developed training courses for examiners and
seminars for banking officials to assess course effectiveness.
INTERNAL Y2K REVIEW HAS RESULTED IN OBSERVATIONS FOR MANAGEMENT CONSIDERATION
In addition to frequently discussing the results of our work with
corporate management, we have issued three advisory memoranda to
management detailing our observations regarding FDIC's internal Y2K
program. In an August 11, 1997, memorandum, we observed that to foster
awareness, the Corporation had effectively communicated the need to
address the Y2K problem throughout the Corporation and had implemented
an effective strategic plan to ensure corporate-wide compliance by
December 31, 1999.
Subsequent to issuing that memorandum, our office began a detailed
review of FDIC's implementation of the successive phases of the Y2K
program, starting with the assessment phase. Our work in this area
followed a GAO review of FDIC's Y2K activities conducted between
December 1997 and January 1998. GAO was concerned that FDIC was taking
longer to assess its systems than was warranted and recommended that
FDIC complete its assessment phase by March 1998. In addition, GAO
recommended that FDIC develop contingency plans for its mission critical
systems and core business processes and recommended that those plans be
developed by the end of February 1998.
In response to GAO's recommendations, FDIC's Acting Chairman established
Y2K as the Corporation's number one priority. FDIC proceeded to
restructure its Y2K program to meet GAO's recommended Y2K milestones and
developed contingency plans for all mission critical systems during
March 1998. Our work showed that the Corporation had completed most
assessments by March 31, 1998, and all assessments were completed by
April 1998.
On May 27, 1998, we issued another memorandum on FDIC's internal Y2K
program citing the following issues that warranted management attention:
Y2K Cost Estimates: In the initial stages of our review, FDIC had not
determined the total cost of addressing the Y2K situation, internally
and in its supervisory role. FDIC's initial focus was on estimating
costs of the Corporation's internal Y2K efforts. Based on discussions
with our office, FDIC began to collect estimates of the total cost to
implement both aspects of its program. After updating its cost
estimates for the internal program and including the costs of
supervisory efforts, FDIC increased its estimate for addressing the Y2K
problem from $24 million to $85 million. Thus, decision makers had a
more comprehensive understanding of the true magnitude of the
Corporation's Y2K efforts and all associated costs.
Certification: Our review of the Corporation's process for certifying
systems as Y2K compliant indicated that the process should be expanded
to ensure that all parties involved in renovation and testing agreed
that the application was Y2K-compliant. We suggested that FDIC develop
a certification process that included certification and sign-off by the
Division of Information Resources Management program manager, the client
program manager, the independent tester, and the Y2K program manager.
After we advised the Y2K program manager of our concerns, he implemented
an enhanced and expanded process for certification.
Testing Policies and Procedures: We suggested that testing policies and
procedures be finalized as early as possible and that FDIC's
configuration management program be strengthened to ensure that the
voluminous amount of software changes that will occur as the result of
Y2K fixes are properly controlled. FDIC had started testing
applications already thought to be Y2K-compliant before fully developing
its testing procedures. We suggested that FDIC develop these procedures
before further testing was conducted to ensure testing consistency.
FDIC agreed and developed and published Y2K testing procedures that we
found to be sound and comprehensive. Although FDIC employed effective
configuration management processes for mainframe-based applications,
similar processes and systems were needed for client-server
applications. FDIC management agreed with our suggestion and
implemented an effective configuration management program for
client-server applications.
On July 29, 1998, we issued another advisory memorandum, citing
additional observations for management consideration:
Contingency and Business Continuity Planning: Although the FDIC had
developed contingency plans for its 39 mission critical systems, it had
not developed a comprehensive business continuity plan to integrate all
facets of its core business areas into an overall corporate strategy for
dealing with the Y2K problem. An effective plan should define and
document information requirements, describe methods and techniques to be
used in developing contingency plans, define Y2K failure scenarios,
determine the risk and impact on core business processes and the
information technology infrastructure, and describe the minimum
acceptable level of output needed for the core business processes. We
suggested that FDIC's Y2K Oversight Committee develop a corporate-wide
business continuity plan using GAO guidelines. The Y2K Oversight
Committee Chairman agreed that such a plan should be developed and
requested that our office assist in the development by acting as an
advisor and reviewing the documents produced. We are currently advising
the task group as it develops the business continuity plan.
Further, most of the contingency plans developed for FDIC's mission
critical systems did not contain detailed procedures for implementation.
The contingency plans did not include specific steps for deployment or
implementation schedules. In addition, the alternative processes and
systems cited in the plans had not been developed, and testing of the
plans had not been scheduled. We suggested that users of the mission
critical systems develop more comprehensive contingency plans and that
the processes cited in the plans be tested to ensure that they would be
ready to implement well before the year 2000. Project management
returned the plans to the users with instructions to develop the plans
and related procedures in accordance with guidance provided by GAO.
We reviewed the resulting revisions and observed a need for additional
improvements. Specifically, some plans identified several approaches
that should be considered for continued operations and did not recommend
a specific approach. FDIC must first determine which approach is most
feasible and then develop related procedures. Further, in many
instances, the procedures described in the plans and triggers for
implementing the procedures had not been developed or tested. In
addition, testing schedules and schedules for disseminating instructions
for the contingency procedures had not been developed. We recently
communicated these observations to management officials, and they
indicated that plans with these deficiencies would be returned to user
organizations for correction. Additionally, FDIC has initiated actions
to contract for assistance in preparing contingency plans and
procedures.
Renovation on Schedule: In its September 4, 1998 quarterly report to
House and Senate Banking Committee staffs, FDIC indicated that it had
successfully attained its goal of renovating all internal application
systems by August 31, 1998. We performed an initial cursory evaluation
of a sample of applications certified as renovated. Our initial
evaluation confirmed the Corporation's assertion that renovation
activities are complete. We will perform a more detailed review of
renovations as we continue our Y2K work.
SUPERVISORY OBSERVATIONS HAVE RESULTED IN MANAGEMENT ACTIONS TO IMPROVE Y2K EFFORTS
The OIG has issued two advisory memoranda to management regarding the
Corporation's supervisory Y2K efforts in which we made the following
observations:
Consistency of Approach to Ratings: We informed management that some
institutions were assigned different Y2K ratings even though their
examination results were similar. Rating consistency is an important
issue because Y2K ratings can impact (1) FDIC's Division of
Supervision's (DOS) follow-up actions, (2) the accuracy of information
provided to senior management and outside parties, (3) potential
enforcement actions, and (4) DOS' success in ensuring the readiness of
financial institutions as we approach the year 2000.
DOS assigns each institution a Y2K rating which should reflect the
institution's efforts to ensure that it can continue business operations
without disruption as the calendar changes from 1999 to 2000. DOS has
extensive review processes designed to ensure the accuracy and
consistency of these examination ratings. However, the unique and
unfamiliar nature of Y2K examinations poses significant challenges for
DOS. Currently, DOS procedures call for Y2K ratings to be reviewed by
the subject matter expert in each field office, the field office
supervisor, the cognizant case manager, and an assistant regional
director. In addition to this review process, DOS' Dallas regional
office established a working group to ensure that situations warranting
issuance of formal or informal supervisory actions receive timely
consideration. Part of this process includes review of Y2K ratings.
Our work in Dallas did not detect inconsistent or questionable Y2K
ratings for examinations reviewed by this working group. Subsequent
review work at another DOS regional office did not disclose any rating
inconsistencies. We suggested that DOS establish similar working groups
at other regional offices to ensure rating consistency and accuracy.
Management agreed and stated that similar review processes had been
established in all eight regional offices.
Ratings Based on Commitments: We observed that Y2K ratings were not
always based on a bank's Y2K efforts at the time of examination but
rather on commitments made by the bank to correct noted weaknesses. The
institution was given a higher Y2K rating if it committed to responding
to recommendations for corrective actions within 30 to 60 days and had a
good history of responding to commitments related to safety and
soundness examinations. Although we were skeptical of this method for
rating banks, the method generally appeared to work well for the
assessment phase examinations. However, we believe that ratings for the
testing phase examinations should be based solely on the results of
examination. We suggested that commitments not be used in the rating
process for the testing phase examinations because of the complexity and
time sensitivity of this next phase. FDIC officials agreed and stated
that commitments would not be used for assigning ratings during the
testing phase.
Need for More Detailed Examination Steps: In its February 10, 1998
testimony before a Senate Subcommittee, GAO had expressed concerns
regarding the level of detail called for in DOS' initial examination
workplan. Before DOS incorporated additional steps into its workplan,
we noted some inconsistencies in examination ratings. Therefore, we
reaffirmed GAO's recommendation to incorporate additional steps into the
workplan to assist examiners in definitively and consistently
determining the status of an institution's Y2K efforts. DOS issued
additional assessment steps on March 24, 1998 that addressed the
concerns of GAO and our office.
Proxy Testing: We expressed concerns regarding the use of proxy testing
for banks using service providers. FDIC issued Financial Institution
Letter 38-98 on April 10, 1998, which allows a service provider to test
a representative sample of institutions that use the particular
servicer. The servicer can then share test results with other
institutions using that same service provider. We were concerned that
many banks, small ones in particular, might not have the expertise to
(1) determine whether the proxy test is comparable to their operations,
(2) provide input to test scripts to ensure that the tests simulate the
way they use the software, and (3) effectively review test results and
other documentation from the servicer. Small banks may simply rely on
an assurance letter from the servicer. We believe that small banks must
either contract with an expert to review their testing or join forces
with other banks with similar systems to review tests. We suggested
that examiners advise small banks to explore the possibility of joining
user groups to increase their knowledge of the Y2K situation, methods
and procedures for addressing Y2K concerns, and resources available to
assist in ensuring that their servicer-provided systems are Y2K
compliant. DOS management officials agreed and indicated that they had
provided guidance suggesting that banks form user groups and/or
coordinate their testing efforts with other institutions serviced by the
same servicer or servicers.
SUBSEQUENT Y2K ACTIVITIES ARE CRITICAL TO THE SUCCESS OF THE PROGRAM
FDIC and its fellow financial institution regulators are now entering
the most difficult and important phase of their Y2K efforts, both
internally and in their supervisory roles, that is, the validation or
testing phase. Time is of the essence in accomplishing these
responsibilities. As a result, the Corporation has established target
dates for the completion of its internal activities and the activities
of insured institutions. Internally, FDIC must test the renovation of
its systems, make needed corrections, implement the successfully tested
systems, and develop and test contingency plans and procedures that may
be needed in the event that a system thought to be compliant
malfunctions. In addition, the Corporation must replace non-compliant
equipment and ensure that data received from outside sources is Y2K
compliant. Further, it must ensure that facilities and related support
systems are compliant.
We will continue to assess FDIC's progress in testing and implementing
its renovated internal application systems. To accomplish this, we are
in the process of awarding a contract to augment our staff with
contractor personnel who specialize in performing independent
verification and validation testing of renovated applications. We will
continue to assess FDIC's Y2K business continuity and contingency plans
to ensure that the contingency planning process is fully developed and
tested. We will also assess management actions regarding infrastructure
issues to ensure that FDIC facilities are Y2K compliant and that
telecommunication networks will be viable on January 1, 2000 and beyond.
Finally, we will continue working with OIGs from other regulatory
agencies on data exchange issues involving the agencies themselves,
financial institutions, and trading partners.
In its supervisory role, FDIC must accomplish several significant tasks
going forward. The Corporation will be examining the status of Y2K
testing, external data exchanges, and contingency planning efforts at
financial institutions. It must coordinate this work closely with the
other financial institution regulators. FDIC must also determine the
extent to which Y2K examination ratings should impact deposit insurance
premiums, consider enforcement actions if an institution's efforts do
not adequately address the Y2K situation, and develop resolution
strategies in the event institutions are closed because of technological
failures. FDIC and its FFIEC counterparts have been actively planning
for these issues for some time and will soon formalize their approaches.
We will continue reviewing FDIC and FFIEC activities related to
renovation and validation efforts at financial institutions. We will
also continue our review of activities related to ensuring consumer
awareness; defining Y2K failures; incorporating the results of Y2K
examinations into safety and soundness ratings; and planning for the
possible resolution of failed institutions, including estimating the
impact on insurance funds. I remain hopeful that the same spirit of
cooperation will continue to guide the efforts of the FDIC and the
member FFIEC agencies and that collectively, we will meet with success.
Mr. Chairman, this concludes my prepared statement. At this time I
would be happy to respond to any questions you or other Members of the
Committee may have.
Last Updated 06/25/1999
FDIC Office of Inspector General